FridaNamedPipesHooks - Transitioning to Nt* syscall stubs

This is about the FridaNamedPipesHooks tool on GitHub; it's a bit better now.

What’s FridaNamedPipesHooks

FridaNamedPipesHooks is a Frida script (with a Python wrapper) that hooks Windows API functions to sniff messages sent/received over named pipes. It's useful for quick debugging or security analysis of local IPC without needing kernel-mode drivers. I've made an update so that it captures traffic properly in more scenarios.

The update

While preparing for my EWUW Workshop, I noticed that some software doesn't use the standard ReadFile or WriteFile APIs from kernel32.dll. Instead, it calls the lower-level NtReadFile and NtWriteFile syscall stubs in ntdll.dll directly.

A specific case I found was .NET code calling System.IO.StreamWriter.Write, which uses System.IO.Pipes.PipeStream.WriteFileNative under the hood. Since WriteFileNative hits the ntdll stubs, my original script was missing all that traffic.

I've updated the script to hook these lower-level functions: NtCreateNamedPipeFile, NtCreateFile, NtWriteFile, NtReadFile.

This should provide much better coverage. I also added a few more tools that do the same (and better) but need a more complex initial setup, in case you need something more serious.
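To show what hooking at the ntdll layer looks like in practice, here is an added example Frida agent. It is not the FridaNamedPipesHooks script itself; it assumes x64 struct layouts for OBJECT_ATTRIBUTES, UNICODE_STRING and IO_STATUS_BLOCK, and the MAX_CAPTURE cap and the helper names (isPipePath, formatPipeEvent, readObjectName) are my own. It tracks pipe handles from NtCreateFile/NtCreateNamedPipeFile, drops them on NtClose, and dumps the buffers passed through NtWriteFile (on entry) and NtReadFile (after return, using IO_STATUS_BLOCK.Information for the real byte count). The pure helpers run in plain JavaScript; the hooks are only installed when the Frida globals are present.

```javascript
'use strict';
// Added example, not the FridaNamedPipesHooks script itself: a Frida agent that
// hooks the ntdll.dll stubs (NtCreateFile, NtCreateNamedPipeFile, NtReadFile,
// NtWriteFile, NtClose) instead of the kernel32 ReadFile/WriteFile wrappers.
// Assumes x64 struct layouts (OBJECT_ATTRIBUTES, UNICODE_STRING, IO_STATUS_BLOCK).

const MAX_CAPTURE = 4096;           // assumed cap per message so huge buffers don't flood the log
const HANDLE_NAMES = new Map();     // handle value ("0x1a4") -> NT path of the pipe

// Named pipes show up as \??\pipe\<name> (translated Win32 name) or \Device\NamedPipe\<name>.
function isPipePath(ntPath) {
  const p = ntPath.toLowerCase();
  return p.startsWith('\\??\\pipe\\') || p.startsWith('\\device\\namedpipe\\');
}

function rememberHandle(handleValue, ntPath) { HANDLE_NAMES.set(handleValue, ntPath); }
function forgetHandle(handleValue) { HANDLE_NAMES.delete(handleValue); }
function nameForHandle(handleValue) { return HANDLE_NAMES.get(handleValue) || null; }

// Render one captured message: printable ASCII inline, anything else as hex bytes.
function formatPipeEvent(direction, pipeName, bytes) {
  const printable = bytes.every(b => b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127));
  const body = printable
    ? Array.from(bytes, b => String.fromCharCode(b)).join('')
    : Array.from(bytes, b => b.toString(16).padStart(2, '0')).join(' ');
  return `[${direction}] ${pipeName} (${bytes.length} bytes): ${body}`;
}

// Pull the NT path out of POBJECT_ATTRIBUTES (x64: ObjectName at +16;
// UNICODE_STRING: Length in bytes at +0, Buffer at +8).
function readObjectName(objAttr) {
  if (objAttr.isNull()) return null;
  const us = objAttr.add(16).readPointer();
  if (us.isNull()) return null;
  const byteLen = us.readU16();
  const buf = us.add(8).readPointer();
  return buf.isNull() ? null : buf.readUtf16String(byteLen / 2);
}

function installHooks() {
  const ntdll = Process.getModuleByName('ntdll.dll');

  // Both NtCreateFile and NtCreateNamedPipeFile take PHANDLE as arg 0 and
  // POBJECT_ATTRIBUTES as arg 2; the handle is only valid after the call returns.
  for (const exp of ['NtCreateFile', 'NtCreateNamedPipeFile']) {
    Interceptor.attach(ntdll.getExportByName(exp), {
      onEnter(args) { this.outHandle = args[0]; this.name = readObjectName(args[2]); },
      onLeave(retval) {
        if (retval.toInt32() < 0 || this.name === null || !isPipePath(this.name)) return;
        rememberHandle(this.outHandle.readPointer().toString(), this.name);
      }
    });
  }

  // Handle values get reused, so drop the mapping when the handle is closed.
  Interceptor.attach(ntdll.getExportByName('NtClose'), {
    onEnter(args) { forgetHandle(args[0].toString()); }
  });

  // NtWriteFile: data is in the caller's buffer (arg 5, length arg 6) on entry.
  Interceptor.attach(ntdll.getExportByName('NtWriteFile'), {
    onEnter(args) {
      const name = nameForHandle(args[0].toString());
      if (name === null) return;                       // not a pipe handle we tracked
      const len = Math.min(args[6].toUInt32(), MAX_CAPTURE);
      if (len === 0) return;
      console.log(formatPipeEvent('WRITE', name, new Uint8Array(args[5].readByteArray(len))));
    }
  });

  // NtReadFile: buffer (arg 5) is only filled after return; the byte count lives in
  // IO_STATUS_BLOCK.Information (arg 4, +8). STATUS_PENDING (0x103) means the read
  // completes asynchronously, so the data is not there yet and we skip it.
  Interceptor.attach(ntdll.getExportByName('NtReadFile'), {
    onEnter(args) {
      this.name = nameForHandle(args[0].toString());
      this.iosb = args[4];
      this.buffer = args[5];
    },
    onLeave(retval) {
      const status = retval.toInt32();
      if (this.name === null || status < 0 || status === 0x103) return;
      const got = Math.min(this.iosb.add(8).readULong().toNumber(), MAX_CAPTURE);
      if (got === 0) return;
      console.log(formatPipeEvent('READ', this.name, new Uint8Array(this.buffer.readByteArray(got))));
    }
  });
}

// The helpers above are plain JS; only touch Frida globals when running inside Frida.
if (typeof Interceptor !== 'undefined') installHooks();
```

Load it into a running process with `frida -p <pid> -l pipes.js`. Because only handles whose NT path matches a pipe prefix are tracked, reads and writes on ordinary files are not logged, and the NtClose hook keeps a recycled handle value from being mislabelled with the name of a pipe that was already closed.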


If you want to discuss, I’m here: Bluesky & X